Linking OpenStack Workloads to the Public Cloud Using SD-WAN

Shannon McFarland - CCIE #5245Distinguished Engineer - Cisco Office of the Cloud CTO

@eyepv6

Linking OpenStack Workloads to the Public Cloud Using SD-WAN

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• Hybrid/Multicloud Options

• SD-WAN Overview

• Cisco SD-WAN Cloud onRamp (CoR) - Linking OpenStack to the Public Cloud

• Summary

2

Hybrid/Multicloud Networking Options


Cloud Service Provider - Native IPsec VPN Service

4

Default Network10.138.0.0/20

IPsec/IKEv2

Google Cloud VPN

Google Cloud Router

BGP

Enterprise Edge

OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data Center

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

Virtual RoutersPer-VPC Virtual Router

Private Network(s)

On-Premises

VPC Subnet(s)

VPCRouter

Virtual Router IPsec

Physical/Virtual Routers

Transit VPC: Virtual Router + Per-VPC Virtual Router

Private Network(s)VPC Subnet(s)

VPCRouter

Virtual Router

Transit VPC

IPsec On-PremisesPhysical/Virtual Routers

Virtual Router

Transit VPC: Virtual Router + CSP VPN


VPCRouter

VPNGateway

Virtual Router

Transit VPC

IPsec On-PremisesPhysical/Virtual Routers


Colocation - With or Without VPN

Cisco SD-WAN + Some Combo of Colocation/peering

Private Network(s)

On-Premises

VPC Subnet(s)

VPCRouter

VPNGateway

Virtual Router

Physical/Virtual Router

DX Endpoint

VLANs

IPsecIPsec


VPCRouter

VPNGateway

Virtual Router

DX Endpoint

VLANs

Physical/Virtual Router

IPsecOn-Premises

Cisco Routers or Firewalls + Some Combo of Colocation/peering

7© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Multicloud Topologies With OpenStack

OpenStack

VM

NeutronRouter

+ VPNaaS

VPNaaS BasedMulticloud Networking

Data Center Infra.

TOR(s)

Internet Edge Infra.

VPN/CoLo

Virtual Router BasedMulticloud Networking

Data Center Infra.

OpenStack

TOR(s)


VPN/CoLo

VM

VirtualRouter

NeutronRouter

OpenStack

VM

NeutronRouter

Hardware/Software BasedMulticloud Networking

Data Center Infra.

TOR(s)


VPN/CoLo

*Also, provider networks

SD-WAN Overview


Cisco SD-WAN Architecture

9

Management Plane- vManage- UI- Policies, templates- Monitoring

Control Plane- vSmart- Fabric discovery- Control plane policies

Data Plane- vEdge/cEdge

APIs

vSmart Controllers

vAnalytics 3rd PartyAutomation

vManage

Data Center Campus Branch SOHOCloud

vBond

vEdge/cEdge Routers

4GMPLS

INET

Orchestration Plane- vBond- Orchestrates control

and mgmt. plane- First point of auth


We Can Do This The Easy Way or Hard Way

1) Design it

2) Deploy the Control Plane

3) Deploy the On-Premises Data Plane (to include connections to OpenStack)

4) Create/Gather your Public Cloud Credentials/Roles

5) Deploy the Transit VNet/VPCs via Cloud onRamp

6) Map the application/host VNet/VPCs to the Transit

7) Deploy Policy(s) that Meets Your Requirements

8) Have a Nice Day! J

I’ll explain the hard stuff, but..

We will talk aboutthese two

Cisco SD-WAN Cloud onRamp for IaaS - Azure


Cloud OnRamp IaaS for Azure


Cisco SD-WAN CoR for Azure

0.4

Container

Vnet0-subnet 10.16.241.0/24

Vnet0 Host VNet (10.16.0.0/16)

VPN GW

VPN Tunnels

40.85.x.x40.85.x.x

168.61.x.x168.61.x.x

Gateway Subnet 10.16.250.0/28

BGP Instance 1 10.16.250.4

BGP Instance 2 10.16.250.5A

S 6

5512 AS 65512:192.168.250.1

AS 65512:192.168.250.5

AS 65512:192.168.250.9 AS 65512:192.168.250.13

GatewayVNet

Transport VPN

Service VPN

Transport VPN

Service VPN

Management VPN

vpn0

10.0.32.5

vpn

512

10.0

.0.4

Management VPN

vpn

010

.0.3

2.4

vpn

512

10.0

.0.5

az-tz-vnet

vpn 1 192.168.254.1

vpn 1 192.168.254.2

Enterprise Edge

OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data Center

Tenant Subnet

10.1.1.0/24

vManage vBond vSmart


Azure – Host VNet –to- Transit VNet Mapping - IPsec

interface ipsec9ip address 192.168.250.1/30tunnel-source 10.0.32.5tunnel-destination 168.61.x.xikeversion 2rekey 28800cipher-suite aes128-cbc-sha1group 2authentication-typepre-shared-keypre-shared-secret <PSK_HERE>!!!ipsecrekey 3600replay-window 512cipher-suite aes256-cbc-sha1perfect-forward-secrecy none

vEdge-Cloud – Transit VNet

0.4

Container

Vnet0-subnet 10.16.241.0/24

Vnet0vpn 1

192.168.254.1

GatewayVNet

Transport VPN

Service VPN

Management VPN

vpn0

10.0.32.5

vpn

512

10.0

.0.4

az-tz-vnet

Host VNet (10.16.0.0/16)

VPN GW

VPN Tunnels

40.85.x.x168.61.x.x



AS

655

12 AS 64600:192.168.250.1

Source NATed to 40.85.x.x


Azure – Host Vnet –to- Transit VNet Mapping - BGP

vpn 1routerbgp 64600timersholdtime 30!address-family ipv4-unicastnetwork 0.0.0.0/0!neighbor 10.16.250.4no shutdownremote-as 65512update-source ipsec9ebgp-multihop 2

vEdge-Cloud – Transit VNet

# az network vnet-gateway list-advertised-routes --name COR_Vnet0_Virtual_Network_Gateway --peer 192.168.250.1 --output yamlvalue:- asPath: '65512'localAddress: 10.16.250.4network: 10.16.0.0/16nextHop: 10.16.250.4origin: IgpsourcePeer: null

0.4

Container

Vnet0-subnet 10.16.241.0/24

Vnet0vpn 1

192.168.254.1

GatewayVNet

Transport VPN

Service VPN

Management VPN

vpn0

10.0.32.5

vpn

512

10.0

.0.4

az-tz-vnet

Host VNet (10.16.0.0/16)

VPN GW

VPN Tunnels

40.85.x.x168.61.x.x



AS

655

12 AS 64600:192.168.250.1

transit-az-01# show ip routeOUTPUT OMITTED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS-------------------------------------------------------------------------------------------------------------------------------------1 10.16.0.0/16 bgp i - 10.16.250.4 - - - - F,S,R

Advertised

Received


Transit VNet –to- On-Premises - IPsectransit-az-01## show ipsec outbound-connectionsOUTPUT SUMMARIZED...

SOURCE SOURCE DEST DEST REMOTE REMOTE AUTHENTICATIONIP PORT IP PORT SPI TUNNEL MTU TLOC ADDRESS TLOC COLOR USED --------------------------------------------------------------------------------------------------------------------------------------10.0.32.5 12386 <ON_PREMISES_vEDGE_PUBLIC_IP> 12426 275 1441 1.1.1.4 public-internet AH_SHA1_HMAC

Transit VNet vEdge - IPsec

vedge-01# show ipsec outbound-connectionsOUTPUT SUMMARIZED...

SOURCE SOURCE DEST DEST REMOTE REMOTE AUTHENTICATIONIP PORT IP PORT SPI TUNNEL MTU TLOC ADDRESS TLOC COLOR USED --------------------------------------------------------------------------------------------------------------------------------------<ON_PREMISES_vEDGE_PUBLIC_IP> 12426 <TRANSIT-vEDGE-EIP> 12386 286 1441 40.1.1.1 default AH_SHA1_HMAC<ON_PREMISES_vEDGE_PUBLIC_IP> 12426 <TRANSIT-vEDGE-EIP> 12386 259 1441 40.1.1.2 default AH_SHA1_HMAC

On-Premises vEdge - IPsec

vedge

On-Premises

Transport VPN

Transport VPN

vpn0

10.0.32.5

vpn

010

.0.3

2.4

System IP (TLOC): 40.1.1.1



OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data

Cen

ter

Infra

.


Transit VNet –to- On-Premises - BGP/OMPtransit-az-01# show ip routeOUTPUT SUMMARIZED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS--------------------------------------------------------------------------------------------------------------------------------------1 10.1.1.0/24 omp - - - - 1.1.1.4 public-internet ipsec F,S1 10.16.0.0/16 bgp i - 10.16.250.4 - - - - F,S,R

Transit VNet vEdge - BGP/OMP

vedge-01# show ip route OUTPUT SUMMARIZED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS--------------------------------------------------------------------------------------------------------------------------------------1 10.1.1.0/24 connected - ge0/1 - - - - - F,S1 10.16.0.0/16 omp - - - - 40.1.1.1 default ipsec F,S1 10.16.0.0/16 omp - - - - 40.1.1.2 default ipsec F,S

On-Premises vEdge - Connected/OMP

0.4

Container

Vnet0-subnet 10.16.241.0/24

Vnet0

vpn 1 192.168.254.1

GatewayVNet

Transport VPN

Service VPN10.0.32.5

Host VNet (10.16.0.0/16)

VPN GW

VPN Tunnels

40.85.x.x

168.61.x.x



AS

655

12

AS 64600:192.168.250.1 vedge


vpn0


OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data

Cen

ter

Infra

.

10.1.1.0/24


Verify Routing and Reachability... Output summarized

# az container attach --resource-group CtoRG -n appcontainerContainer 'appcontainer' is in state 'Running'...(count: 1) (last timestamp: 2019-03-26 18:18:20+00:00) pulling image "microsoft/aci-helloworld"(count: 1) (last timestamp: 2019-03-26 18:18:26+00:00) Successfully pulled image "microsoft/aci-helloworld"(count: 1) (last timestamp: 2019-03-26 18:18:29+00:00) Created container(count: 1) (last timestamp: 2019-03-26 18:18:29+00:00) Started container

Start streaming logs:listening on port 80::ffff:10.1.1.106 - - [26/Mar/2019:20:48:44 +0000] "GET / HTTP/1.1" 200 1663 "-" "Wget"::ffff:10.1.1.106 - - [26/Mar/2019:20:48:56 +0000] "GET / HTTP/1.1" 200 1663 "-" "Wget"::ffff:10.1.1.106 - - [26/Mar/2019:21:09:24 +0000] "GET / HTTP/1.1" 200 1663 "-" "Wget"

From the public cloud container watch the connection log from the on-premises OpenStack VM (10.1.1.106)

[centos@os-vm1 ~]$ ping 10.16.241.4PING 10.16.241.4 (10.16.241.4): 56 data bytes64 bytes from 10.16.241.4: seq=1 ttl=61 time=5.069 ms64 bytes from 10.16.241.4: seq=2 ttl=61 time=4.446 ms

On an on-premises OpenStack VM, ping the container that is running in the public cloud (10.16.241.4)

[centos@os-vm1 ~]$ wget -O - http://10.16.241.4Connecting to 10.16.241.4 (10.16.241.4:80)<html><head><title>Welcome to Azure Container Instances!</title>

On the on-premises OpenStack VM, wget to the Azure Container Instance (10.16.241.4)


Cisco SD-WAN CoR for AzureTraffic Flow Example

Neutron Network

vedge

vManage vBond vSmart

On-Premises

0.4

Container

Vnet0-subnet 10.16.241.0/24

Vnet0vpn 1

192.168.254.1

vpn 1 192.168.254.2

GatewayVNet

Transport VPN

Service VPN

Transport VPN

Service VPN

Management VPN

vpn0

10.0.32.5

vpn

512

10.0

.0.4

Management VPN

vpn

010

.0.3

2.4

vpn

512

10.0

.0.5

az-tz-vnet

Host VNet (10.16.0.0/16)

VPN GW

VPN Tunnels

40.85.x.x40.85.y.y

168.61.x.x168.61.y.y



BGP Instance 2 10.16.250.5A

S 6

5512 AS 64600:192.168.250.1

AS 64600:192.168.250.5

AS 64600:192.168.250.9 AS 64600:192.168.250.13

[centos@os-vm1 ~]$ traceroute 10.16.241.4 -ntraceroute to 10.16.241.4 (10.16.241.4), 30 hops max, 46 byte packets1 10.1.1.137 0.153 ms 0.202 ms 0.173 ms2 192.168.254.1 2.453 ms 2.535 ms 2.566 ms3 168.61.17.148 4.272 ms 3.467 ms 3.287 ms4 10.16.241.4 5.123 ms 4.123 ms 4.206 ms

10.1.1.137 VM10.1.1.106

Cisco SD-WAN Cloud onRamp for IaaS - AWS


Cisco SD-WAN CoR for AWSGatewayVpc

Transport VPN

Service VPN

Transport VPN

Service VPN

Management VPN

vpn0

172.18.0.52

vpn

512

172.

18.0

.9

Management VPN

vpn

017

2.18

.0.1

35vp

n51

217

2.18

.0.1

21

vpn 1 192.168.253.3

vpn 1 192.168.253.4

Enterprise Edge

OpenStack

HYPERVISOR

VM VM VM

pod pod pod

VM VM VM

Data Center

Tenant Subnet

10.1.1.0/24

vManage vBond vSmartHostVpc (172.16.0.0/16)

Private01Subnet01172.16.0.0/24

VPCRouter

VPN GW (VGW)

VPN Tunnel

VPN Tunnel

EIP

EIP

EC2 Instance

.155

Link Them Altogether


Cisco SD-WAN and Multicloud

23

SD-WAN

AWS VPN GW

vEdge

Transit VPC

vEdge

Transit VPC

Azure VPN GW

Internet

Container

10.16.241.4

172.16.0.155

VM

10.1.1.106vEdge


SD-WAN Multicloud Routingtransit-az-01# show ip routeOUTPUT SUMMARIZED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS--------------------------------------------------------------------------------------------------------------------------------------1 10.1.1.0/24 omp - - - - 1.1.1.4 public-internet ipsec F,S1 10.16.0.0/16 bgp i - 10.16.250.4 - - - - F,S,R1 172.16.0.0/16 omp - - - - 50.1.1.1 default ipsec F,S

Transit VNet vEdge - BGP

vedge-01# show ip route OUTPUT SUMMARIZED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS--------------------------------------------------------------------------------------------------------------------------------------1 10.1.1.0/24 connected - ge0/1 - - - - - F,S1 10.16.0.0/16 omp - - - - 40.1.1.1 default ipsec F,S1 172.16.0.0/16 omp - - - - 50.1.1.1 default ipsec F,S

On-Premises vEdge - IPsec

transit-aws-01# show ip routeOUTPUT SUMMARIZED...

PROTOCOL NEXTHOP NEXTHOP NEXTHOPVPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS--------------------------------------------------------------------------------------------------------------------------------------1 10.1.1.0/24 omp - - - - 1.1.1.4 public-internet ipsec F,S1 10.16.0.0/16 omp - - - - 40.1.1.1 default ipsec F,S1 172.16.0.0/16 bgp e ipsec2 169.254.9.241 - - - - F,S

Transit VPC vEdge - BGP

Policies & Routing


Internet Exit Routing Considerations (1)• By default, Cloud onRamp reconfigures the VPC/VNet route tables so that all traffic

traverses the transit vEdges - Great for Enterprise InfoSec policies

PS Azure:\> Get-AzureRmEffectiveRouteTable -NetworkInterfaceName corvm444 -ResourceGroupName CtoRG | Format-Table

Name State Source AddressPrefix NextHopType NextHopIpAddress---- ----- ------ ------------- ----------- ----------------

Active Default {10.16.0.0/16} VnetLocal {}Active VirtualNetworkGateway {192.168.250.1/32} VirtualNetworkGateway {10.16.250.4}Active VirtualNetworkGateway {192.168.250.9/32} VirtualNetworkGateway {10.16.250.5}Active VirtualNetworkGateway {0.0.0.0/0} VirtualNetworkGateway {10.16.250.4}Active VirtualNetworkGateway {0.0.0.0/0} VirtualNetworkGateway {10.16.250.5}

Azure Route Table After CoR:

PS Azure:\> Get-AzureRmEffectiveRouteTable -NetworkInterfaceName corvm444 -ResourceGroupName CtoRG | Format-Table

Name State Source AddressPrefix NextHopType NextHopIpAddress---- ----- ------ ------------- ----------- ----------------

Active Default {10.16.0.0/16} VnetLocal {}Active Default {0.0.0.0/0} Internet {}Active Default {10.0.0.0/8} None {}Active Default {100.64.0.0/10} None {}Active Default {192.168.0.0/16} None {}

Azure Route Table Before CoR:

26


Internet Exit Routing Considerations (2)• If you want to have specific traffic or all non-on-premises traffic leave the transit

vEdges directly:• https://sdwan-

docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/07Policy_Applications/04Using_a_vEdge_Router_as_a_NAT_Device/Configuring_Local_Internet_Exit• Perform NAT on a WAN/Transport VPN (e.g., VPN 0) for specific or all destinations not found in the transit

routing table• Create a Data Policy to do NAT per-VPN for specific or all destinations not found in the transit routing table

vpn 0interface ge0/0nat

!vpn 1ip route 0.0.0.0/0 null0ip route x.x.x.x/32 vpn 0

Transit vEdge

transit-az-01# show ip routePROTOCOL NEXTHOP NEXTHOP NEXTHOP

VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS------------------------------------------------------------------------------------------------------------------------------------1 x.x.x.x/32 nat - ge0/0 - 0 - - - F,S

0.4

Container

Vnet0-subnet 10.16.241.0/24

vpn 1 192.168.254.1

Transport VPN

Service VPN

10.0.32.5

VPN GW

VPN Tunnel

vpn0

INET

27

NAT

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/07Policy_Applications/04Using_a_vEdge_Router_as_a_NAT_Device/Configuring_Local_Internet_Exit

Summary


Cisco SD-WAN and Multicloud

29

VNet Subnet

SD-WAN

VPC Subnet

AWS VPN GW

VPC Subnet

Google Cloud VPN

vEdge

Transit VPC

vEdge

Transit VPC

vEdge

Transit VPC

Azure VPN GW

Branch

Branch

DC

MPLS

DC

Internet


Cisco SD-WAN• Cisco SD-WAN (vEdge) on AWS: https://sdwan-

docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/01Create_vEdge_Cloud_VM_Instance_on_AWS

• AWS Marketplace: https://aws.amazon.com/marketplace/pp/B07BZ53FJT

• Cisco SD-WAN on Microsoft Azure: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/02Create_vEdge_Cloud_VM_Instance_on_Azure

• Microsoft Azure Marketplace: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco_cloud_vedge_4_nics?tab=Overview

• Brand New SD-WAN Design/Deployment Guides: https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/branch-wan-edge.html

Public Cloud Support

30

Reference

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/01Create_vEdge_Cloud_VM_Instance_on_AWS

https://aws.amazon.com/marketplace/pp/B07BZ53FJT

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/02Create_vEdge_Cloud_VM_Instance_on_Azure

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco_cloud_vedge_4_nics?tab=Overview

https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/branch-wan-edge.html


Summary

• There are many options for linking on-premises OpenStack workloads to other clouds• Leverage external components to do the work - Usually true when OpenStack operators don’t

‘own’ the network design• Leverage external components to do the work and integrate with OpenStack - Ideal situation

where you get automation from OpenStack and a solid external design/scale - Can we say “plugins?”

• Deploy native appliances/services inside OpenStack to do the work

• SD-WAN greatly simplifies the deployment and operation of a hybrid cloud• Zero-touch provisioning of infrastructure• Dynamic policy deployment feeds the ‘where, when, how, what’ of the design• Leverage built-in features such as WAN optimization, transport failover, health-checking,

application monitoring, etc.

31

Documents

Linking OpenStack Workloads to the Public Cloud Using SD-WAN